High severity 7.1 · NVD Advisory · Published Mar 16, 2026 · Updated Apr 9, 2026
CVE-2026-26133
Description
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Affected products
- cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:* (range: <16.0.19815.10000)
- cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:iphone_os:*:* (range: <2.107.2)
- cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:* (range: <16.0.19822.20038)
- cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:iphone_os:*:* (range: <2.106.2)
Patches
No patches discovered yet.
References
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133 (nvd, Vendor Advisory)
News mentions
- Microsoft warns of Exchange zero-day flaw exploited in attacks · BleepingComputer · May 15, 2026
- Simple bypass of the link preview function in Outlook Junk folder, (Thu, May 14th) · SANS Internet Storm Center · May 14, 2026
- AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem? · The Register Security · May 13, 2026
- Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises · SecurityWeek · May 13, 2026
- Microsoft May 2026 Patch Tuesday, (Tue, May 12th) · SANS Internet Storm Center · May 12, 2026
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms · The Hacker News · May 8, 2026
- Why the approaching flood of vulnerabilities changes everything — and what to do about it · Tenable Blog · May 8, 2026
- New TCLBanker malware self-spreads over WhatsApp and Outlook · BleepingComputer · May 7, 2026
- VECT: Ransomware by design, Wiper by accident · Check Point Research · Apr 28, 2026
- Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia · Dark Reading · Apr 24, 2026
- IR Trends Q1 2026: Phishing reemerges as top initial access vector, as attacks targeting public administration persist · Cisco Talos Intelligence · Apr 22, 2026
- DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy · Check Point Research · Apr 20, 2026
- More than pretty pictures: Wendy Bishop on visual storytelling in tech · Cisco Talos Intelligence · Apr 16, 2026
- The n8n n8mare: How threat actors are misusing AI workflow automation · Cisco Talos Intelligence · Apr 15, 2026
- Patch Tuesday - April 2026 · Rapid7 Blog · Apr 14, 2026
- Russia Hacked Routers to Steal Microsoft Office Tokens · Krebs on Security · Apr 7, 2026
- Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker · Krebs on Security · Mar 11, 2026